The United States Cyber Consequences Unit


Current Course Offerings


The US-CCU has been the world leader for over a decade in anticipating new cyber threats, quantifying their consequences, demonstrating the ROI for counter-measures, and, in general, showing how to implement a quantitative, risk-based approach to cyber security. In response to many requests, we are now offering courses to teach as much as we can of what we have discovered over our years of research. The classes will be small, day-long, and very intensive.

In these courses, we will explain, among other things:

  • how we were able to predict Stuxnet -- all its main features, its exact target, and exactly how it would destroy that target -- fourteen months before it was discovered

  • how we have been able to show companies exactly what new attacks to watch for, so that they can catch them immediately, even though they haven't seen them before

  • how we have been able to credibly quantify losses that sound too intangible to measure, such as damage to customer relationships, damage to reputation, and loss of business information

  • how we were able to provide a better picture of the Russian cyber campaign against Georgia than organizations with vastly more resources and personnel

  • what we have discovered about the steps necessary to make a risk-based approach to cyber security into a practical program

The material covered in these courses will be accessible to those without a technical background, although it will be especially useful to cyber security professionals.

Cyber Security for Senior Management

Learn: Which cyber risks are real and which are mostly hype. How computers and networks actually operate, without the usual technical gobbledygook. What questions to ask cyber security professionals. How to take account of cyber-security in the initial planning of new operations and systems, in order to avoid large costs later. How to tell whether a given cyber-security strategy makes sense.

Dates: To be announced.

Cyber Threat Analysis

Learn: How to anticipate what kinds of cyber attacks are coming, even when they haven’t been seen yet. How to analyze and model cyber attackers and the way they are developing. What things to watch for and how to understand what they mean. How to estimate how soon or how frequently a given attack will occur. Strategies for threat reduction.

Dates: To be announced.

Cyber Consequence Analysis

Learn: How to estimate the costs of cyber attacks, even when those costs do not take the form of immediate expenditures. In particular, how to estimate the costs of damage to customer relationships, damage to brand, and theft of technical or business information. Strategies for increasing resilience and reducing consequences.

Dates: To be announced.

Cyber Vulnerability Analysis

Learn: How to see the full range of vulnerabilities from both an offensive and a defensive perspective. How to evaluate vulnerabilities collectively and quantitatively. How to estimate the collective effect of vulnerabilities on prospective losses. Understanding the effects of defensive measures on the expenditures and skill levels needed by attackers.

Dates: To be announced.

Cyber Policy Analysis

Learn: How to estimate the return on investment for different security policies. The reasons for market failures in cyber security and what can be done about them. The reasons for administrative failures in cyber security and what could be done about those. The implications of cyber attacks for corporate, national, and military strategic planning.

Dates: To be announced.

Practical Cyber Intelligence

Learn: How to use sources that are readily available, but under-utilized. How to tie together threat intelligence from different sources. How to see cyber-attack developments in relation to other kinds of events. Finding the real affiliations of groups that are falsifying their identities. Deducing their technical capabilities. Analyzing probes, scans, and criminal offerings to make counter-moves before the associated attacks.

Dates: To be announced.

Cost of each course: $1,200 for corporate attendees, or $1,000 for government or academic attendees. (Payable by credit card over the phone.)

Venue (in Washington, DC): Carr Workplaces, 12th Floor, Potomac Building, 1001 N. 19th Street in Rosslyn (Arlington), two and a half blocks from the Rosslyn Metro stop and just across the bridge from Georgetown.

Arrangements can also be made for the courses to be taught to groups and at other locations.

Additional information: Please contact the course administrator through email.

  Copyright © 2004- U.S. Cyber Consequences Unit. All Rights Reserved.